DNSSEC why it’s important and why we’re moving…

From the Asia, passing through Europe, to Washington one of the most beautiful city of the United States. Our domain myetv.tv is now parked there, at https://donuts.domains/ and after 10 years we are proud to deserve one of the best registrar in the world with a modern and extended DNSSEC for all the domain extensions out there. In last years the .tv domains in general has suffered an unfair penalty and not every registrar can offer a good DNSSEC infrastructure at this point; the ICANN with the post “What is DNSSEC and why is so important?” stated in 2013 that the DNSSEC should be used by default from every registrars/providers, without difference, but in fact is not like that and most of providers, yet, will not offer the DNSSEC for every domains name (like .tv or any premium domain name).

Protection by DNSSECDNSSEC was developed to enhance the basic security set of DNS and provide some of the necessary, yet initially overlooked layers of security. The extension authenticates the resolution of IP addresses with a cryptographic signature, to make sure that answers provided by the DNS server are valid and authentic.How does DNSSEC work to bolster security?When a DNSSEC-enabled client submits a request to a DNS server that supports DNSSEC, the client includes in the request a cryptographic signature key. One such key exists in the client resolver, while the other exists in the domain’s authoritative DNS server. The resolver then matches its signature to that of the authoritative DNS server. If the resolver is able to match up the signatures, it is assured that the response it received from the Authority has not been tampered with and returns the verified DNS record to the client.The DNSSEC verification process provides users with three core benefits: – Origin Authentication of Data: This feature further validates authority sources, making it harder for malicious third parties to implement man-in-the-middle attacks. – Data Integrity: In this process, records are cryptographically signed. If they were modified during the master/secondary zone, it will show up when resolving a record. – Authenticated Denial of Existence: If a query has no data, authoritative servers can provide a response, which proves that no data exists.When implemented, this mechanism mitigates some key DNS security vulnerabilities such as cache poisoning and certain methods of man-in-the-middle attacks.